Florian, I'm happy to look at this now with you. But based on the old discussion I'm not certain I'm happy with the final result.
IMO - here's what we need in these:

1) If you specify nothing, you should get the default.
2) If you specify a CAfile, and there is no failure in loading it, you should get that.
3) If any failure occurs in either case 1 or case 2 the program should fail. Do not continue with something else.

Try for the above.

On Fri, Apr 1, 2016 at 5:29 AM, Florian Zumbiehl <fl...@florz.de> wrote: > Hi, > > it occurred to me that this patch that I submitted quite a while ago still > hasn't been merged and discussion about it back then got stuck due to a > release being prepared or something--so, here I submit it again, though you > might want to read the discussion on the thread from 2014 that I am > replying to ... > > Regards, Florian > > -------------------------------------------------------------------------- > > This is a fix for OpenSSL tickets #977 and #3213, loosely based on patch from > Reuben Thomas from #3213. > --- > src/apps/s_client.c | 5 +++-- > src/apps/s_server.c | 10 ++++++---- > src/apps/s_time.c | 5 +++-- > 3 files changed, 12 insertions(+), 8 deletions(-) > > diff --git a/src/apps/s_client.c b/src/apps/s_client.c > index f693d10..3ffedcc 100644 > --- a/src/apps/s_client.c > +++ b/src/apps/s_client.c > @@ -870,8 +870,9 @@ bad: > if (!set_cert_key_stuff(ctx, cert, key)) > goto end; > > - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || > - (!SSL_CTX_set_default_verify_paths(ctx))) { > + if (!((CAfile || CApath) ? > + SSL_CTX_load_verify_locations(ctx, CAfile, CApath) : > + SSL_CTX_set_default_verify_paths(ctx))) { > /* > * BIO_printf(bio_err,"error setting default verify > * locations\n"); > diff --git a/src/apps/s_server.c b/src/apps/s_server.c > index 3f71740..9a20deb 100644 > --- a/src/apps/s_server.c > +++ b/src/apps/s_server.c 
> @@ -1167,8 +1167,9 @@ bad: > #endif > > > - if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || > - (!SSL_CTX_set_default_verify_paths(ctx))) { > + if (!((CAfile || CApath) ? > + SSL_CTX_load_verify_locations(ctx, CAfile, CApath) : > + SSL_CTX_set_default_verify_paths(ctx))) { > /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ > ERR_print_errors(bio_err); > /* goto end; */ > @@ -1222,8 +1223,9 @@ bad: > else > SSL_CTX_sess_set_cache_size(ctx2, 128); > > - if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) || > - (!SSL_CTX_set_default_verify_paths(ctx2))) { > + if (!((CAfile || CApath) ? > + SSL_CTX_load_verify_locations(ctx2, CAfile, > CApath) : > + SSL_CTX_set_default_verify_paths(ctx2))) { > ERR_print_errors(bio_err); > } > if (vpm) > diff --git a/src/apps/s_time.c b/src/apps/s_time.c > index 960ba4e..4dbd906 100644 > --- a/src/apps/s_time.c > +++ b/src/apps/s_time.c > @@ -346,8 +346,9 @@ s_time_main(int argc, char **argv) > > SSL_load_error_strings(); > > - if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) || > - (!SSL_CTX_set_default_verify_paths(tm_ctx))) { > + if (!((CAfile || CApath) ? > + SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath) > : > + SSL_CTX_set_default_verify_paths(tm_ctx))) { > /* > * BIO_printf(bio_err,"error setting default verify > * locations\n"); > -- > 1.7.10.4 >
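Review bot: the s_client.c hunk (@@ -870) makes -CAfile/-CApath and the default verify paths mutually exclusive, a behaviour change the commit message ("This is a fix for OpenSSL tickets #977 and #3213") does not spell out; please state in the commit message and in the -CAfile/-CApath option help that the default locations are no longer consulted once either option is given. The change does remove the old code's unconditional SSL_CTX_load_verify_locations(ctx, CAfile, CApath) call with both arguments NULL, which is worth saying too. Style: a negated three-line ternary is hard to read; `int ok = (CAfile || CApath) ? SSL_CTX_load_verify_locations(ctx, CAfile, CApath) : SSL_CTX_set_default_verify_paths(ctx); if (!ok) {` reads better, and since the identical expression now appears in four places a small shared helper in the apps code would keep them in sync.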
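Review bot: in the first s_server.c hunk (@@ -1167) the failure branch after the new condition is still `ERR_print_errors(bio_err); /* goto end; */`, so when -CAfile or -CApath is given but fails to load, s_server prints the error and carries on with whatever trust store it has; that is exactly the case the reply above says must fail ("If any failure occurs in either case 1 or case 2 the program should fail"). Restore the `goto end` (or otherwise return an error) here rather than only switching which loader is called.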
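Review bot: the second s_server.c hunk (@@ -1222) has the same gap for ctx2: the failure branch is only `ERR_print_errors(bio_err);` with no abort, so a bad CAfile/CApath for the second context is silently non-fatal. The ctx and ctx2 blocks also now duplicate the loader selection verbatim; factoring it into one helper that returns failure would fix both contexts at once and keep them from drifting.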
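Review bot: the s_time.c hunk (@@ -346) keeps the commented-out BIO_printf message "error setting default verify locations", which is now misleading because the branch is taken on a failed -CAfile/-CApath load as well as a failed default load; either drop the dead comment or turn it into a real message that says which of the two failed. The lines following the hunk are not shown, so please confirm in the commit message that s_time aborts on this error rather than continuing as s_server does.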